Ports 137, 138, 139

You guys might find this very interesting....earlier I mentioned having the Internet Assigned Numbers Authority sitting on ports 137 138 139...for the past several days.......well guess what...They are GONE!!
Plus, gone at the same time as last night.
Note: my connection is static so this can't be targeting me in particular........also, six other people with different ISPs had the IANA sitting on those very same ports
Boys and girls I have not been on the internet in a couple of years....do keep up with the news...but, this......hmmmmmm
It looks like a very deliberate attempt to enter a person's computer by NetBios....and it was much too obvious for the ISP not to have known...and ignored
I am not an alarmist by any definition of the word.....now you guys can hash this over and come up with your own opinion......after four days of that foolishness..my opinion is made.
Every isp keeps a record of every website a person visits...so if "they" wanted that information it was there to easily obtain.......without coming in by NetBios....

What has been noticed since the problem first began is that the Internet Assigned Numbers Authority is listening on ports 137, 138, 139....at the same time as the isp....normally it's just the isp listening on those ports.


Could you clarify what you are seeing?
Is your system listening on 137, 138, 139 or are you just seeing scans to these local services? IANA or your ISP will not be listening on these ports.

on this connection the isp has always listened on those ports....the same with others I know using the same isp

Now comes the interesting part: as best that I can digest the info.

rpcss.(exe) = DCOM....is the bandit

rpcss udp 137
rpcss udp 138
rpcss tcp 139

rpcss tcp local host 1025
rpcss tcp all: 135

remote url <169.254.245.234>

research reveals it could be exploited (have blocked any exploiting) nothing going to get in/out of those ports.
M$ is aware of the possible exploit......offers no answer to prevent it........some workarounds but real touchy....could destroy an NT os......BUT WHY THE LISTENING TO IANA?? And why here once..gone next....my OS hasn't changed overnight. my last M$ update did install a newer DCOM.........hmmmm
I am on a Unisys.....the exploit first discovered on Unix.....my os win98se....very tweaked...which has never caused any problems......and never before experienced this sort of behavior.........

Research reveals that ALL flavors of Windows have this....95---XP will try to locate the M$ explanation....not tonight...exhausted...

Have also tried 3 firewall rule sets....it's not a firewall issue....but only the firewall is preventing the exploit.......so-say that many others using ZA have noticed the issue...DCOM....but not the URL...I don't use ZA to verify if it does or not.

BUT WHAT'S WITH THIS IANA??.....since this was first noticed I have looked at 14 other computers....and ALL experiencing the same.

"Is your system listening on 137, 138, 139 or are you just seeing scans to these local services? IANA or your ISP will not be listening on these ports"

LISTENING= continuous......for six days...

P.S. absolutely nothing done on this computer that could remotely be considered improper......computer has not been used in years until a few days ago....about the time I came to this forum. This machine is clean.

Rpcss.exe Consumes 100% CPU Due to RPC Spoofing Attack
This article was previously published under Q193233
SYMPTOMS: System and network performance could degrade and the Rpcss.exe process could consume 100 percent of CPU time. Analyzing the network with a protocol analyzer shows multiple RPC REJECT packets (addressed to UDP port 135) between two or more systems because of an RPC spoofing attack.
CAUSE: >>>>>CLIPPED>>> won't post exploit info

The above post was just a quick one that relates to the NT os....but other OSes have this also.

*** DIDN'T M$ say they patched this?? Well the patch sure as hell does not work!!!!

Quoting shunned:
on this connection the isp has always listened on those ports....the same with others I know using the same isp

Now comes the interesting part: as best that I can digest the info.

rpcss.(exe) = DCOM....is the bandit

rpcss udp 137
rpcss udp 138
rpcss tcp 139

rpcss tcp local host 1025
rpcss tcp all: 135


Well it is quite normal for systems to be listening on these ports/services, especially if you have filesharing/netbios over TCP enabled. It will be your system listening on these ports/services, not sure how you figure this is your ISP (Internet Service Provider). This can be controlled quite easily with a firewall and/or system configuration.

remote url <169.254.245.234>


This IP falls in a range that is reserved for what is referred to as Autoconfiguration IP Addresses (169.254.0.0 - 169.254.255.255).

"Addresses in the range 169.254.0.0 to 169.254.255.255 are used automatically by some PCs and Macs when they are configured to use IP, do not have a static IP Address assigned, and are unable to obtain an IP address using DHCP.

This traffic is intended to be confined to the local network, so the administrator of the local network should look for misconfigured hosts. Some ISPs inadvertently also permit this traffic, so you may also want to contact your ISP. This is documented in RFC 3330." - iana

Perhaps this is where you are getting your reference to iana. If you do a whois lookup on an address in this range it will come back to them.
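The two points made in the reply above (which sockets the local machine itself has open, and why a 169.254.x.x address comes back as IANA in WHOIS), as an added example that is not part of the original thread. The `netstat -an` style sample and the function names `classify_address` and `local_listeners` are constructed for illustration.

```python
import ipaddress

# Special-use IPv4 blocks from RFC 3330. WHOIS names IANA as holder of these
# ranges; that does not mean IANA operates a host at the address.
SPECIAL_BLOCKS = [
    ("169.254.0.0/16", "link-local autoconfiguration"),
    ("127.0.0.0/8", "loopback"),
    ("10.0.0.0/8", "private"),
    ("172.16.0.0/12", "private"),
    ("192.168.0.0/16", "private"),
]
SERVICES = {135: "RPC endpoint mapper", 137: "NetBIOS name",
            138: "NetBIOS datagram", 139: "NetBIOS session"}

# Constructed sample in `netstat -an` layout (not output from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    169.254.10.20:139      0.0.0.0:0              LISTENING
  UDP    169.254.10.20:137      *:*
  UDP    169.254.10.20:138      *:*
  TCP    169.254.10.20:1030     192.0.2.7:80           ESTABLISHED
"""

def classify_address(addr):
    ip = ipaddress.ip_address(addr)
    for cidr, label in SPECIAL_BLOCKS:
        if ip in ipaddress.ip_network(cidr):
            return label
    return "publicly routable"

def local_listeners(text):
    """Return (proto, port, service, scope) for sockets this host has open."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        proto, foreign = parts[0], parts[2]
        state = parts[3] if len(parts) > 3 else ""
        ip, _, port = parts[1].rpartition(":")
        # TCP listeners say LISTENING; bound UDP sockets show a *:* peer.
        if state == "LISTENING" or (proto == "UDP" and foreign == "*:*"):
            scope = "all interfaces" if ip == "0.0.0.0" else classify_address(ip)
            found.append((proto, int(port), SERVICES.get(int(port), "other"), scope))
    return found

print(local_listeners(SAMPLE), classify_address("169.254.245.234"))
```

A listener whose scope is "all interfaces" is the one a firewall rule or a service setting has to cover; loopback-only listeners are not reachable from the network.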

No file sharing.......firewall installed.....ISP listening (normal behavior) (verified)
The IANA is something new...but I DO UNDERSTAND YOUR POINT......hmmmmm, it's not the rule set...this only recently began...never happened before using the same rule set...........okay, I'll switch rules and see the results......
Thanks CM...will get back on this....loading websites extremely slow right now with 58% memory free...78% resources free....should be zipping down the pike.....but not.

Just spoke with my ISP.....after I changed rule sets.....now the issue is gone!....hopefully it's totally resolved........
Looks like I did this to myself with too strict firewall rules....actually I hope it was my own doing...that can be corrected....
Still have rpcss listening on TCP all:135
and localhost:1026.....which as I understand is normal. But I have to say that it wasn't like this prior to the M$ update...never had any such problems....when it appeared is when I changed rules.. but it's resolved.
Would not have realized the answer had you not posted....appreciate your time CM

After my last post..I rebooted and all was well.........shut-down and rebooted AND THE PROBLEM WAS BACK AGAIN.......rebooted Again..and the problem is back again.
Was not online any of the times....it's an OS issue..........ENOUGH!.....time for a complete RE-FORMAT.....won't put up with this.

It's most doubtful that I will return to this forum in the near future.....was enjoyable....but I really don't spend much time on the internet....the past few days were the exception..........now this Bug thingy....well, it's just worth the time and energy......

Very nice of you to drop in this way....have not re-formatted that machine as yet but planned for tomorrow.
Did connect the machine a few times and the situation totally baffles me...sometimes that thingy is listening other times it's not.....supposedly it's part of the os....but never ever seen this happen on any os....and I've tried a few.
Twice I dropped into safe mode and wiped the un-used space on C drive....after that the thingy disappears...only to return after a couple of boots. Even checked for keyloggers.
I have the means of preventing the thingy from starting up..it starts at start....but watching it for now. Also, even when not contacted to the internet "something" is trying to send-out...... I know what rpcss exe is and what it does...but never had it mis-behave this way. It's not getting out.....and if by chance it did the submask is blocked.
so...all in all....I still have no answers. A re-format is drastic but can have it all complete in a couple of hours...updates included...much less time than I've spent monitoring this thingy. The computer is rather mixed-flavored...a little win95..win98..win2000.winMe and a dash of odds and ends... it all works super nice...no complaints until the thingy presented itself.....
OT: my friend thank you for your kind efforts and extended invitation.....I consider it an honor to have shared with you....unfortunately, the internet is not the enjoyment it once was....and my interest has faded. I don't experience the mis-haps I notice others do but it's a matter of luck only.
Persons like yourself..LWM.. Pieter,. PW,. have a much firmer grip on the situation than I ever could....my internet connection was only for a couple of weeks......and my arrival here was by way of a friend......super forum.
And very best to you CM